Linux command
cfssl command
These commands involve pipes, overwriting, or deletion; confirm paths and arguments before running them.
Common examples
Initialize a new CA
cfssl gencert -initca [ca-csr.json] | cfssljson -bare [ca]
Generate certificate signed by CA
cfssl gencert -ca [ca.pem] -ca-key [ca-key.pem] [csr.json] | cfssljson -bare [cert]
Sign a CSR
cfssl sign -ca [ca.pem] -ca-key [ca-key.pem] [request.csr]
Generate self-signed certificate
cfssl selfsign [hostname] [csr.json] | cfssljson -bare [cert]
Start API server
cfssl serve -ca [ca.pem] -ca-key [ca-key.pem]
Bundle certificates
cfssl bundle -cert [cert.pem]
Print default configuration
cfssl print-defaults config
Description
cfssl is CloudFlare's PKI/TLS toolkit for signing, verifying, and bundling TLS certificates. It provides both a command-line tool and an HTTP API server for running a complete certificate authority. The toolkit handles the full certificate lifecycle: generating root and intermediate CAs, signing certificate requests, creating self-signed certificates, and building certificate bundles for deployment. Configuration files define signing profiles with specific expiry periods, key usages, and authentication requirements. The companion tool cfssljson extracts certificates and keys from cfssl's JSON output into PEM files. The multirootca component allows running a CA server with multiple signing keys for different purposes.
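The signing profiles described above are where a CA's policy lives, so they are worth checking before the file is handed to `-config`. The following is an added example, not part of the original page or of the cfssl project: a small Python check over a constructed config that flags profiles with the `any` usage, long leaf expiries, or a missing or undefined `auth_key`. The profile names, the key name and value, and the 397-day limit are assumptions made for the example.

```python
import json
import re

# Constructed sample in the layout cfssl's -config file uses; the profile
# names, key name and key value are made up for this example.
SAMPLE = json.loads("""{
  "signing": {
    "default": {"expiry": "8760h", "usages": ["signing", "server auth"]},
    "profiles": {
      "server": {"expiry": "2160h", "auth_key": "ops",
                 "usages": ["signing", "key encipherment", "server auth"]},
      "legacy": {"expiry": "87600h", "usages": ["any"]},
      "subca":  {"expiry": "43800h", "auth_key": "missing",
                 "usages": ["cert sign", "crl sign"],
                 "ca_constraint": {"is_ca": true}}
    }
  },
  "auth_keys": {"ops": {"type": "standard", "key": "0123456789abcdef"}}
}""")

SECONDS = {"h": 3600, "m": 60, "s": 1}

def expiry_hours(text):
    """Convert a Go-style duration such as '8760h' or '1h30m' to hours."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * SECONDS[u] for n, u in parts) / 3600

def lint(config, max_leaf_hours=9528):  # 397 days: an assumed policy limit
    """Return sorted (profile, finding) pairs for risky signing profiles."""
    signing = config.get("signing", {})
    auth_keys = config.get("auth_keys", {})
    profiles = {"default": signing.get("default", {}), **signing.get("profiles", {})}
    findings = []
    for name, prof in profiles.items():
        is_ca = prof.get("ca_constraint", {}).get("is_ca", False)
        usages = prof.get("usages", [])
        if "any" in usages:  # certificate usable for every purpose
            findings.append((name, "any-usage"))
        if "cert sign" in usages and not is_ca:  # signing usage on a non-CA profile
            findings.append((name, "leaf-cert-sign"))
        if not is_ca and "expiry" in prof and expiry_hours(prof["expiry"]) > max_leaf_hours:
            findings.append((name, "long-expiry"))
        if "auth_key" not in prof:  # profile sets no authentication requirement
            findings.append((name, "no-auth-key"))
        elif prof["auth_key"] not in auth_keys:  # reference to an undefined key
            findings.append((name, "unknown-auth-key"))
    return sorted(findings)

if __name__ == "__main__":
    for profile, finding in lint(SAMPLE):
        print(f"{profile}: {finding}")
```

Fields a profile omits are not judged here; only values written in the file are checked.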
Parameters
- -ca _file_: CA certificate file (default: ca.pem)
- -ca-key _file_: CA private key file (default: ca_key.pem)
- -config _file_: Path to configuration file
- -hostname _names_: Comma-separated hostnames for SAN
- -initca: Initialize new CA
- -remote _host_: Remote CFSSL server address
FAQ
How do I run a basic cfssl example?
Run `cfssl gencert -initca [ca-csr.json] | cfssljson -bare [ca]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.